Re: group access "write" in OpenLDAP 2.1.4
On 13 Sep 2002 09:37:47 +0200
Tony Earnshaw <tonni@billy.demon.nl> wrote:
Tony,
Thank you for your advice, but I still have some trouble.
> > I have created the following group.
> > +-dc=example,dc=com
> > +--cn=administrators,dc=example,dc=com
> > +--cn=fred blogs,dc=example,dc=com
>
> You haven't said whether you've made a record for Fred Bloggs, but I
> presume you have.
Yes. I have created a record for fred blogs.
And now, I have created a new record for michiko nagara.
cn=michiko nagara,dc=example,dc=com
> > dn:cn=administrators,dc=example,dc=com
> > cn: administrators of this region
> > objectclass: groupOfNames
> > objectclass: top
> > member: cn=fred blogs,dc=example,dc=com
> > member: cn=somebody else,dc=example,dc=com
>
> O.k.
>
> > access to *
> > by group="cn=administrators,dc=example,dc=com" write
> > by * auth
>
> I have a group, peoplemanagers, that has *limited* rights to change
> certain attributes of members of a local group. These attributes are
> personal details, such as phone number, password etc.
>
> This is the relevant line from my ACL, it works :-) This is on a single
> line:
>
> by group="cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl"
> dnattr=member write
I have changed my ACL to the following:
access to *
by group="cn=administrators,dc=example,dc=com" dnattr=member write
by * auth
I tried to modify dn "cn=fred blogs,dc=example,dc=com",
I got an error message:
ldap_modify: Insufficient access (50)
And I tried to modify dn "cn=michiko nagara,dc=example,dc=com",
I got the same error message.
> Well, it works for me (with 2.1.4 /Berkeley 4.0.14). So, have you
> indexed objectclass in slapd.conf (eq,pres), and have you run slapindex
> (don't forget that the indices in the DB directory have to be able to be
> read by the slapd user).
I have indexed objectclass in slapd.conf:
index objectClass pres,eq
and run slapindex.
Then I tried the search filter "(objectclass=*)", but I got
no entries.
--
In my previous mail:
When I used OpenLDAP 2.1.3 with the same ACL as mentioned above,
I could get all entries.
Also, when I changed group.c v1.9.2.4 to v1.9.2.3 in OpenLDAP 2.1.4
and rebuilt, I could get all entries.
I had set the ACL as below:
access to *
by group="cn=administrators,dc=example,dc=com" write
by * auth
I could modify dn "cn=fred blogs,dc=example,dc=com"
and dn "cn=michiko nagara,dc=example,dc=com", with OpenLDAP 2.1.3.
And I could get all entries with OpenLDAP 2.1.3.
However, I cannot get any entries with OpenLDAP 2.1.4.
Thanks.
------
Michiko NAGARA
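Added illustration (written for this page, not part of the mail above and not taken from OpenLDAP's own documentation) of the two ACL forms that appear in the thread, side by side. Per slapd.access(5), every <who> qualifier written on a single "by" line must match for that line to apply, so "group=... dnattr=member" grants write only to a bind DN that is both a member of cn=administrators and listed in the member attribute of the entry being modified. The group entry assumed here is the cn=administrators entry shown earlier in the thread; the person entries are assumed to be ordinary records without a member attribute.

```conf
# slapd.conf ACL excerpt (added example; assumes the cn=administrators
# group from the thread and person entries that carry no member attribute)

# Form 1: any member of cn=administrators may write every entry in the
# database. Everyone else gets "auth" (enough to bind, nothing more).
access to *
        by group="cn=administrators,dc=example,dc=com" write
        by * auth

# Form 2: the qualifiers on one "by" line are ANDed. The bind DN must be
# a member of cn=administrators AND must appear in the member attribute
# of the target entry itself. A person entry such as
# cn=fred blogs,dc=example,dc=com has no member attribute, so this line
# never matches a modify of that entry; evaluation falls through to
# "by * auth", which does not include write, and ldapmodify reports
# Insufficient access (50). This form fits targets that are themselves
# groups listing the requester, not plain person entries.
access to *
        by group="cn=administrators,dc=example,dc=com" dnattr=member write
        by * auth
```

To check which form is in effect, bind as a group member with ldapsearch -x -D "cn=fred blogs,dc=example,dc=com" -W and attempt a read of another entry before trying ldapmodify; a read that succeeds while the modify fails points at the "by" line not matching, whereas a search that returns nothing at all is a separate problem (the 2.1.3 versus 2.1.4 difference reported above) and not an ACL-syntax issue.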